Re: [sleuthkit-users] How to simply undelete files ?

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Thanks very much for your answer.

In my case I think that it's not mandatory to use another computer, because the deleted files were placed on the third 
harddrive of my computer (/dev/hdd1), so I removed it from fstab so it should not be mounted nor armed after.
I've got enough space on other partitions on other drives to copy the recovered files (about 700 Mb : one CD) but not 
enough to put the whole output from sorter which could reach the size of the entire drive (10Go).
I just wanted to know if there was a script to recover deleted files with no particular problems : I just made rm on the 
files then shutdown the computer, and didn't mounted this partition since, I know the names of the files and their 
sizes, there are only 7 or 8 to recover. So for someone used to it it should be trivial to get them back no ?

Fra...@ps... wrote:
> 
> tech;
> 
> my suggestion would be to download (on a different computer) F.I.R.E. 
> (it's got a copy of Sleuthkit and Autopsy and it's linux.  Burn the iso 
> onto a CD, it's bootable.  Insert a 1gig (at best) thumb drive into the 
> usbport before booting, boot the computer with the deleted files using 
> FIRE.  dd the space which contains the files or use the Autopsy browser 
> to move the files to the thumb drive.  I make it sound simple but if 
> you've used Autopsy this should be pretty simple.  Keep the FIRE CD 
> handy as it's a great tool to use.
> 
> Frank Kenisky IV, CISSP, CISA, CISM
> Information Technical Security Specialist
> (210) 301-6433 - (210) 887-6985
> 
> 
> *"te...@me..." <te...@me...>*
> Sent by: sle...@li...
> 
> 01/24/2006 04:56 AM
> 
> 	
> To
> 	sle...@li...
> cc
> 	
> Subject
> 	[sleuthkit-users] How to simply undelete files ?
> 
> 
> 	
> 
> 
> 
> 
> 
> Hello everybody,
> I'm new to sleuthkit,and I've got a problem which might seem very basic 
> to most og you but I can't resolve it :
> I recently burned some files from my hard-disk to a CD / RW, then I 
> deleted these files from my hard-disk.
> When I tried to read the CD, there seems to be nothing on it.
> I wasn't able to dd an image of the cd, so I can't recover my files this 
> way.
> Then I launched autopsy on my hard-disk. Using File analysis, I can see 
> all the deleted files, but now, I don't know how
> to recover them. I don't want to use the sorter tool from autopsy 
> because I don't have enough free space to copy all the
> recovered files, only enough for the 700Mb of my deleted files.
> I would like to know what is the simple procedure to recover one by one 
> a few files which seems I good state to recover
> (as the partition where I deleted files wasn't mounted since the deletion).
> 
> 
> -------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
> for problems?  Stop!  Download the new AJAX search engine that makes
> searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
> 